What is an Electronic Service Provider PHIPA?

Under Ontario’s Personal Health Information Protection Act (PHIPA), an electronic service provider (ESP) is a person who supplies services that enable a health information custodian (HIC) to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information (PHI). ESPs are bound by specific rules under PHIPA and its General regulation. Those rules are discussed below.

Electronic Service Provider PHIPA Responsibilities as an Agent

Which rules apply to an electronic service provider under PHIPA depends on whether the provider is an agent of the health information custodian.

An agent of a health information custodian is anyone the custodian has authorized to perform specific services or activities involving PHI. For a custodian-agent relationship to exist, the services or activities must be performed on the custodian’s behalf and for the custodian’s purposes, not for the provider’s own. When an ESP is an agent of a HIC, the ESP may collect, use, disclose, retain or dispose of personal health information only with the custodian’s permission and only in accordance with PHIPA.


Electronic Service Provider PHIPA Responsibilities as a Non-Agent

The rules differ when the electronic service provider is not an agent of the health information custodian. Non-agent ESPs are governed by section 6 of PHIPA’s General regulation (Ontario Regulation 329/04).

Section 6 of the regulation prohibits a non-agent ESP from:

  • Using any personal health information to which it has access in the course of providing services to custodians, except as necessary to provide those services.
  • Disclosing any personal health information to which it has access in the course of providing the services.
  • Permitting its employees, or any person acting on its behalf, to access personal health information unless that employee or person agrees to comply with the restrictions that apply to the ESP.

PHIPA and Health Information Network Providers

Under PHIPA, there is a special type of ESP known as a health information network provider (HINP). A HINP is a person who provides services to two or more custodians, where the services are provided primarily to enable the custodians to use electronic means to disclose personal health information to one another.

HINPs are subject to additional obligations. A HINP must meet the section 6 restrictions that apply to non-agent ESPs, and on top of those it has further duties.

HINPs must:

  • Notify every affected custodian, at the first reasonable opportunity, if an unauthorized person accessed personal health information or if the HINP itself accessed, used, disclosed or disposed of personal health information other than as permitted.
  • Conduct privacy impact assessments and threat, vulnerability and risk assessments of its services, and provide a written copy of the results to each custodian.
  • Enter into a written agreement with each custodian describing the services provided and the administrative, technical and physical safeguards that protect the confidentiality and security of the information. The HINP must also give each custodian a plain-language description of the services, including a general description of the safeguards against unauthorized use and disclosure and the measures that protect the integrity of the information.
  • To the extent it is reasonably practical to do so, keep and make available to each custodian, on request, an electronic record of all accesses to and transfers of the personal health information associated with that custodian.

HINPs must also:

  • Make the plain-language description of its services, including the general description of safeguards, available to the public; and
  • Make available to the public any directives, guidelines and policies of the HINP that apply to those services.